Abstract

This paper investigates the time-bounded version of the reachability problem 
for hybrid automata. This problem asks whether a given hybrid automaton can 
reach a given target location within T time units, where T is a constant rational 
value. We show that, in contrast to the classical (unbounded) reachability problem, 
the time-bounded version is decidable for rectangular hybrid automata provided
only non-negative rates are allowed. This class of systems is of practical interest 
and subsumes, among others, the class of stopwatch automata. We also show that 
the problem becomes undecidable if either diagonal constraints or both negative 
and positive rates are allowed. 



1 Introduction 

The formalism of hybrid automata [1] is a well-established model for hybrid systems
whereby a digital controller is embedded within a physical environment. The state of
a hybrid system changes both through discrete transitions of the controller, and
continuous evolutions of the environment. The discrete state of the system is encoded by
the location $\ell$ of the automaton, and the continuous state is encoded by real-valued
variables $X$ evolving according to dynamical laws constraining the first derivative $\dot{X}$
of the variables. Hybrid automata have proved useful in many applications, and their 
analysis is supported by several tools 1,61 |5j. 

A central problem in hybrid-system verification is the reachability problem which
is to decide if there exists an execution from a given initial location $\ell$ to a given goal
location $\ell'$. While the reachability problem is undecidable for simple classes of hybrid
automata (such as linear hybrid automata [1]), the decidability frontier of this problem
is sharply understood [7, 8]. For example, the reachability problem is decidable for the
class of initialized rectangular automata where (i) the flow constraints, guards, invariants
and discrete updates are defined by rectangular constraints of the form $a < x < b$
or $c < \dot{x} < d$ (where a, b, c, d are rational constants), and (ii) whenever the flow
constraint of a variable x changes between two locations $\ell$ and $\ell'$, then x is reset along the
transition from $\ell$ to $\ell'$. Of particular interest is the class of timed automata which is a
special class of initialized rectangular automata.

In recent years, it has been observed that new decidability results can be obtained 
in the setting of time-bounded verification of real-time systems [10, 11]. Given a time
bound $T \in \mathbb{N}$, the time-bounded verification problems consider only traces with
duration at most $T$. Note that due to the density of time, the number of discrete transitions
may still be unbounded. Several verification problems for timed automata and real- 
time temporal logics turn out to be decidable in the time-bounded framework (such as 
the language-inclusion problem for timed automata [10]), or to be of lower complexity
(such as the model-checking problem for MTL [11]). The theory of time-bounded
verification is therefore expected to be more robust and better-behaved in the case of 
hybrid automata as well. 

Following this line of research, we revisit the reachability problem for hybrid au- 
tomata with time-bounded traces. The time-bounded reachability problem for hybrid 
automata is to decide, given a time bound $T \in \mathbb{N}$, if there exists an execution of
duration less than $T$ from a given initial location $\ell$ to a given goal location $\ell'$. We study
the frontier between decidability and undecidability for this problem and show how 
bounding time alters matters with respect to the classical reachability problem. In this 
paper, we establish the following results. First, we show that the time-bounded reacha- 
bility problem is decidable for non-initialized rectangular automata when only positive 
rates are allowed¹. The proof of this fact is technical and, contrary to most decidability
results in the field, does not rely on showing the existence of an underlying finite
(bi)simulation quotient. We study the properties of time-bounded runs and show that if 
a location is reachable within T time units, then it is reachable by a timed run in which 
the number of discrete transitions can be bounded. This in turn allows us to reduce the 
time-bounded reachability problem to the satisfiability of a formula in the first-order 
theory of real addition, decidable in EXPSPACE [4].

Second, we show that the time-bounded reachability problem is undecidable for 
non-initialized rectangular hybrid automata if both positive and negative rates are al- 
lowed. Third, we show that the time-bounded reachability problem is undecidable for 
initialized rectangular hybrid automata with positive singular flows if diagonal constraints
in guards are allowed. These two undecidability results allow us to precisely
characterize the boundary between decidability and undecidability.

The undecidability results are obtained by reductions from the halting problem for
two-counter machines. We present novel encodings of the execution of two-counter
machines that fit into time-bounded executions of hybrid automata with either negative
rates, or diagonal constraints.

¹ This class is interesting from a practical point of view as it includes, among others, the class of stopwatch
automata [3], for which unbounded reachability is undecidable.

2 Definitions 

Let $\mathcal{I}$ be the set of intervals of real numbers with endpoints in $\mathbb{Z} \cup \{-\infty, +\infty\}$. Let $X$
be a set of continuous variables, and let $X' = \{x' \mid x \in X\}$ and $\dot{X} = \{\dot{x} \mid x \in X\}$ be
the set of primed and dotted variables, corresponding respectively to variable updates
and first derivatives. A rectangular constraint over $X$ is an expression of the form
$x \in I$ where $x$ belongs to $X$ and $I$ to $\mathcal{I}$. A diagonal constraint over $X$ is a constraint of
the form $x - y \sim c$ where $x, y$ belong to $X$, $c$ to $\mathbb{Z}$, and $\sim$ is in $\{<, \leq, =, \geq, >\}$. Finite
conjunctions of diagonal and rectangular constraints over $X$ are called guards, over $\dot{X}$
they are called rate constraints, and over $X \cup X'$ they are called update constraints. A
guard or rate constraint is rectangular if all its constraints are rectangular. An update
constraint is rectangular if all its constraints are either rectangular or of the form
$x = x'$. We denote by $\mathcal{G}(X)$, $\mathcal{R}(X)$, $\mathcal{U}(X)$ respectively the sets of guards, rate constraints,
and update constraints over $X$.

Linear hybrid automata. A linear hybrid automaton (LHA) is a tuple
$\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ where $X = \{x_1, \ldots, x_{|X|}\}$ is a finite set of continuous
variables; Loc is a finite set of locations; $\mathrm{Edges} \subseteq \mathrm{Loc} \times \mathcal{G}(X) \times \mathcal{U}(X) \times \mathrm{Loc}$ is a
finite set of edges; $\mathrm{Rates} : \mathrm{Loc} \to \mathcal{R}(X)$ assigns to each location a constraint on the
possible variable rates; $\mathrm{Inv} : \mathrm{Loc} \to \mathcal{G}(X)$ assigns an invariant to each location; and
$\mathrm{Init} \in \mathrm{Loc}$ is an initial location. For an edge $e = (\ell, g, r, \ell')$, we denote by src(e) and
trg(e) the location $\ell$ and $\ell'$ respectively, $g$ is called the guard of $e$ and $r$ is the update
(or reset) of $e$. In the sequel, we denote by rmax the maximal constant occurring in the
constraints of $\{\mathrm{Rates}(\ell) \mid \ell \in \mathrm{Loc}\}$.

A LHA $\mathcal{H}$ is singular if for all locations $\ell$ and for all variables $x$ of $\mathcal{H}$, the only
constraint over $\dot{x}$ in $\mathrm{Rates}(\ell)$ is of the form $\dot{x} \in I$ where $I$ is a singular interval; it is
fixed rate if for all variables $x$ of $\mathcal{H}$ there exists $I_x \in \mathcal{I}$ such that for all locations $\ell$
of $\mathcal{H}$, the only constraint on $\dot{x}$ in $\mathrm{Rates}(\ell)$ is the constraint $\dot{x} \in I_x$. It is multirate if
it is not fixed rate. It is non-negative rate if for all variables $x$, for all locations $\ell$, the
constraint $\mathrm{Rates}(\ell)$ implies that $\dot{x}$ must be non-negative.

Rectangular hybrid automata. A rectangular hybrid automaton (RHA) is a linear
hybrid automaton in which all guards, rates, and invariants are rectangular. In this case,
we view each reset $r$ as a function $X' \to \mathcal{I} \cup \{\bot\}$ that associates to each variable $x \in X$
either an interval of possible reset values $r(x)$, or $\bot$ when the value of the variable $x$
remains unchanged along the transition. When it is the case that $r(x)$ is either $\bot$ or a
singular interval for each $x$, we say that $r$ is deterministic. In the case of RHA, we can
also view rate constraints as functions $\mathrm{Rates} : \mathrm{Loc} \times X \to \mathcal{I}$ that associate to each
location $\ell$ and each variable $x$ an interval of possible rates $\mathrm{Rates}(\ell)(x)$. A rectangular
hybrid automaton $\mathcal{H}$ is initialized if for every edge $(\ell, g, r, \ell')$ of $\mathcal{H}$, for every $x \in X$, if
$\mathrm{Rates}(\ell)(x) \neq \mathrm{Rates}(\ell')(x)$ then $r(x) \neq \bot$, i.e., every variable whose rate constraint
is changed must be reset.

LHA semantics. A valuation of a set of variables $X$ is a function $\nu : X \to \mathbb{R}$. We
further denote by the valuation that assigns to each variable. 

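Given an LHA $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init}, X)$, a state of $\mathcal{H}$ is a pair
$(\ell, \nu)$, where $\ell \in \mathrm{Loc}$ and $\nu$ is a valuation of $X$. The semantics of $\mathcal{H}$ is defined as
follows. Given a state $s = (\ell, \nu)$ of $\mathcal{H}$, an edge step $(\ell, \nu) \xrightarrow{e} (\ell', \nu')$ can occur and
change the state to $(\ell', \nu')$ if $e = (\ell, g, r, \ell') \in \mathrm{Edges}$, $\nu \models g$, $\nu'(x) = \nu(x)$ for all $x$
s.t. $r(x) = \bot$, and $\nu'(x) \in r(x)$ for all $x$ s.t. $r(x) \neq \bot$; given a time delay $t \in \mathbb{R}^+$,
a continuous time step $(\ell, \nu) \xrightarrow{t} (\ell, \nu')$ can occur and change the state to $(\ell, \nu')$ if
there exists a vector $r = (r_1, \ldots, r_{|X|})$ such that $r \models \mathrm{Rates}(\ell)$, $\nu' = \nu + (r \cdot t)$, and
$\nu + (r \cdot t') \models \mathrm{Inv}(\ell)$ for all $0 \le t' \le t$.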

A path in $\mathcal{H}$ is a finite sequence $e_1, e_2, \ldots, e_n$ of edges such that $\mathrm{trg}(e_i) = \mathrm{src}(e_{i+1})$
for all $1 \le i \le n - 1$. A cycle is a path $e_1, e_2, \ldots, e_n$ such that $\mathrm{trg}(e_n) = \mathrm{src}(e_1)$. A
cycle $e_1, e_2, \ldots, e_n$ is simple if $\mathrm{src}(e_i) \neq \mathrm{src}(e_j)$ for all $i \neq j$. A timed path of $\mathcal{H}$ is a
finite sequence of the form $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$, such that $e_1, \ldots, e_n$ is a
path in $\mathcal{H}$ and $t_i \in \mathbb{R}^+$ for all $1 \le i \le n$. We lift the notions of cycle and simple cycle
to the timed case accordingly. Given a timed path $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$,
we denote by $\pi[i : j]$ (with $1 \le i \le j \le n$) the timed path $(t_i, e_i), \ldots, (t_j, e_j)$.

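A run in $\mathcal{H}$ is a sequence $s_0, (t_0, e_0), s_1, (t_1, e_1), \ldots, (t_{n-1}, e_{n-1}), s_n$ such that:

• $(t_0, e_0), (t_1, e_1), \ldots, (t_{n-1}, e_{n-1})$ is a timed path in $\mathcal{H}$, and

• for all $0 \le i < n$, there exists a state $s'_i$ of $\mathcal{H}$ with $s_i \xrightarrow{t_i} s'_i \xrightarrow{e_i} s_{i+1}$.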

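Given a run $\rho = s_0, (t_0, e_0), \ldots, s_n$, let $\mathrm{first}(\rho) = s_0 = (\ell_0, \nu_0)$, $\mathrm{last}(\rho) = s_n$,
$\mathrm{duration}(\rho) = \sum_{i=0}^{n-1} t_i$, and $|\rho| = n + 1$. We say that $\rho$ is (i) strict if $t_i > 0$ for all
$1 \le i \le n - 1$; (ii) k-variable-bounded (for $k \in \mathbb{N}$) if $\nu_0(x) \le k$ for all $x \in X$, and
$s_i \xrightarrow{t_i} (\ell_i, \nu_i)$ implies that $\nu_i(x) \le k$ for all $0 \le i \le n$; (iii) T-time-bounded (for
$T \in \mathbb{N}$) if $\mathrm{duration}(\rho) \le T$.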

Note that a unique timed path $\mathrm{TPath}(\rho) = (t_0, e_0), (t_1, e_1), \ldots, (t_{n-1}, e_{n-1})$ is
associated to each run $\rho = s_0, (t_0, e_0), s_1, \ldots, (t_{n-1}, e_{n-1}), s_n$. Hence, we sometimes
abuse notation and denote a run $\rho$ with $\mathrm{first}(\rho) = s_0$, $\mathrm{last}(\rho) = s$ and $\mathrm{TPath}(\rho) = \pi$
by $s_0 \xrightarrow{\pi} s$. The converse however is not true: given a timed path $\pi$ and an initial
state $s_0$, it could be impossible to build a run starting from $s_0$ and following $\pi$ because
some guards or invariants along $\pi$ might be violated. However, if such a run exists it is
necessarily unique when the automaton is singular and all resets are deterministic. In
that case, we denote by $\mathrm{Run}(s_0, \pi)$ the function that returns the unique run $\rho$ such that
$\mathrm{first}(\rho) = s_0$ and $\mathrm{TPath}(\rho) = \pi$ if it exists, and $\bot$ otherwise.

Time-bounded reachability problem for LHA. While the reachability problem asks
to decide the existence of any timed run that reaches a given goal location, we are only 
interested in runs having bounded duration. 

Problem 1 (Time-bounded reachability problem) Given an LHA $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges},
\mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$, a location $\mathrm{Goal} \in \mathrm{Loc}$ and a time bound $T \in \mathbb{N}$, the time-bounded
reachability problem is to decide whether there exists a finite run $\rho = (\mathrm{Init}, 0) \xrightarrow{\pi}
(\mathrm{Goal}, \cdot)$ of $\mathcal{H}$ with $\mathrm{duration}(\rho) \le T$.

In the following table, we summarize the known facts regarding decidability of
the reachability problem for LHA, along with the results on time-bounded reachability
that we prove in the rest of this paper. Note that decidability for initialized rectangular
hybrid automata (IRHA) follows directly from [7]. We show decidability for
(non-initialized) RHA that only have non-negative rates in Section 3. The undecidability of
the time-bounded reachability problem for RHA and LHA is not a consequence of the
known results from the literature and requires new proofs that are given in Section 4.



HA classes               Reachability   Time-Bounded Reachability
LHA                      U [1]          U (see Section 4)
RHA                      U [7]          U (see Section 4)
non-negative rates RHA   U [7]          D (see Section 3)
IRHA                     D [7]          D [7]



Example of time bounded reachability. Let $\mathcal{H}$ be the hybrid automaton of Fig. 1
with the convention that the transition starting from $\ell_i$ and ending in $\ell_j$ is denoted
$e_{ij}$. Although not explicitly stated on the figure, we assume that all the locations are
equipped with the invariant $(x < 1) \wedge (y < 1)$. As this automaton uses only rectangular
constraints and positive rates, it is in the class for which we show the decidability of
the time-bounded reachability problem (see Section 3). Note that it is non-initialized
as, for example, variable y is not reset from location $\ell_0$ to location $\ell_1$ while its rate is
changing, and it is singular, diagonal-free, and multirate.



Figure 1: A singular, diagonal-free, multirate hybrid automaton.

Assume we want to reach location $\ell_4$ from $(\ell_0, 0, 0)$ within one time unit. One
clearly sees that the duration of any run starting from $\ell_0$ and crossing $\ell_2$ will exceed
one time unit. Another possibility would be to directly go from $\ell_0$ to $\ell_3$. In this case,
when reaching location $\ell_3$, after crossing $e_{03}$, the value of the variable x (resp. y) is
(resp. |). Thus, in order to cross $e_{34}$, one should wait time units, if we do so,
the value of y will reach ji and violate the invariant. It is thus impossible to reach $\ell_3$
from $(\ell_0, 0, 0)$ without visiting $\ell_1$. A single visit to $\ell_1$ is sufficient as the following run
testifies: (4,0,0) ^ (£i,0,|) (4,^,0) (^3,0,^)
(^4, 0, m) . The illustration of the evolution of the variables along this run is given
in Fig. 2. In this picture, the evolution of the x-variable (resp. of the y-variable) is
represented by the dashed (resp. plain) curve. The evolutions of the valuations of the
variables along the beginning of the unique run looping between $\ell_0$ and $\ell_1$ is illustrated
in Fig. 3. Looking at that looping run, one could be convinced that $\mathcal{H}$ does not admit a
finite bisimulation quotient.

Figure 2: A successful run.

Figure 3: A loop between $\ell_0$ and $\ell_1$.

3 Decidability for RHA with Non-Negative Rates 

In this section, we prove that the time-bounded reachability problem is decidable for 
the class of (non-initialized) rectangular hybrid automata having non-negative rates, 
while it is undecidable for this class in the classical (unbounded) case [7]. Note that
this class is interesting in practice since it contains, among others, the important class
of stopwatch automata, a significant subset of LHA that has several useful
applications [3]. We obtain decidability by showing that for RHA with non-negative rates,
a goal location is reachable within T time units iff there exists a witness run of that
automaton which reaches the goal (within T time units) by a run $\rho$ of length $|\rho| \le$
where is a parameter that depends on T and on the size of the automaton $\mathcal{H}$.
Time-bounded reachability can thus be reduced to the satisfiability of a formula in the
first order theory of the reals encoding the existence of runs of length at most and
reaching Goal.

For simplicity of the proofs, we consider RHA with the following restrictions: 
(i) the guards do not contain strict inequalities, and (ii) the rates are singular. We argue 
at the end of this section that these restrictions can be made without loss of generality. 
Then, in order to further simplify the presentation, we show how to syntactically sim- 
plify the automaton while preserving the time-bounded reachability properties. The 
details of the constructions can be found in the appendix. 

Proposition 1 Let $\mathcal{H}$ be a singular RHA with non-negative rates and without strict
inequalities, and let Goal be a location of $\mathcal{H}$. We can build a hybrid automaton $\mathcal{H}'$
with the following properties:

H1 $\mathcal{H}'$ is a singular RHA with non-negative rates

H2 $\mathcal{H}'$ contains only deterministic resets

H3 for every edge $(\ell, g, r, \ell')$ of $\mathcal{H}'$, $g$ is either true or of the form
$x_1 = 1 \wedge x_2 = 1 \wedge \cdots \wedge x_k = 1$, and $r \equiv x'_1 = 0 \wedge \cdots \wedge x'_k = 0$.

and a set of locations $S$ of $\mathcal{H}'$ such that $\mathcal{H}$ admits a T-time bounded run reaching Goal
iff $\mathcal{H}'$ admits a strict 1-variable-bounded, and T-time bounded run reaching $S$.

Proof. The proof is given in Appendix A. □

As a consequence, to prove decidability
of time-bounded reachability of RHA with non-negative rates, we only need to prove
that we can decide whether an RHA respecting H1 through H3 admits a strict run $\rho$
reaching the goal within T time units, and where all variables are bounded by 1 along
$\rho$.

Bounding the number of equalities. As a first step to obtain a witness of time- 
bounded reachability, we bound the number of transitions guarded by equalities along 
a run of bounded duration: 

Proposition 2 Let $\mathcal{H}$ be an LHA, with set of variables $X$ and respecting hypothesis H1
through H3. Let $\rho$ be a T-time bounded run of $\mathcal{H}$. Then, $\rho$ contains at most $|X| \cdot \mathrm{rmax} \cdot T$
transitions guarded by an equality.

Proof. For a contradiction, assume that there exists an execution $\rho$ of $\mathcal{H}$ with $M$
transitions containing (at least) an equality where $M > |X| \cdot \mathrm{rmax} \cdot T$. By H3, the
equalities in the guards are of the form $x = 1$. In particular, there must exist a variable
$y \in X$ which has been tested equal to one (and thus reset to zero by H3) strictly more
than $\mathrm{rmax} \cdot T$ times. Since all the rates of $y$ are non-negative by H1, the shortest time
needed to reach the guard $y = 1$ from the value 0 is $\frac{1}{\mathrm{rmax}}$. Along $\rho$, the variable $y$ has
reached the guard $y = 1$ from 0 strictly more than $\mathrm{rmax} \cdot T$ times; this implies that
$\mathrm{duration}(\rho) > \mathrm{rmax} \cdot T \cdot \frac{1}{\mathrm{rmax}} = T$ which is a contradiction. □

Bounding runs without equalities. Unfortunately, it is not possible to bound the 
number of transitions that do not contain equalities, even along a time-bounded run. 
However, we will show that, given a time-bounded run p without equality guards, we 
can build a run p' that is equivalent to p (in a sense that its initial and target states are 
the same), and whose length is bounded by a parameter depending on the size of the 
automaton. More precisely: 

Proposition 3 Let $\mathcal{H}$ be an RHA with non-negative rates. For any 1-variable bounded
and $\frac{1}{\mathrm{rmax}+1}$-time bounded run $\rho = s_0 \xrightarrow{\pi} s$ of $\mathcal{H}$ that contains no equalities in the
guards, $\mathcal{H}$ admits a 1-variable bounded and $\frac{1}{\mathrm{rmax}+1}$-time bounded run $\rho' = s_0 \xrightarrow{\pi'} s$
such that $|\rho'| \le 2|X| + (2|X| + 1) \cdot |\mathrm{Loc}| \cdot (2^{(|\mathrm{Edges}|+1)} + 1)$.

Note that Proposition 3 applies only to runs of duration at most $\frac{1}{\mathrm{rmax}+1}$. However,
this is not restrictive, since any T-time-bounded run can always be split into at most
$T \cdot (\mathrm{rmax} + 1)$ subruns of duration at most $\frac{1}{\mathrm{rmax}+1}$, provided that we add a self-loop
with guard true and no reset on every location (this can be done without loss of
generality as far as reachability is concerned).

To prove Proposition 3, we rely on a contraction operation that receives a timed
path and returns another one of smaller length. Let $\pi = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$
be a timed path. We define $\mathrm{Cnt}(\pi)$ by considering two cases. Let $j, k, j', k'$ be four
positions such that $1 \le j \le k < j' \le k' \le n$ and $e_j \ldots e_k = e_{j'} \ldots e_{k'}$ is a simple
cycle. If such $j, k, j', k'$ exist, then let:

$\mathrm{Cnt}(\pi) = \pi[1 : j-1] \cdot (t_j + t_{j'}, e_j) \cdots (t_k + t_{k'}, e_k) \cdot \pi[k+1 : j'-1] \cdot \pi[k'+1 : n]$

Otherwise, we let $\mathrm{Cnt}(\pi) = \pi$. Observe that $\pi$ and $\mathrm{Cnt}(\pi)$ share the same source and
target locations, even when $\pi[k'+1 : n]$ is empty.

Then, given a timed path $\pi$, we let $\mathrm{Cnt}^0(\pi) = \pi$, $\mathrm{Cnt}^i(\pi) = \mathrm{Cnt}(\mathrm{Cnt}^{i-1}(\pi))$ for
any $i \ge 1$, and $\mathrm{Cnt}^*(\pi) = \mathrm{Cnt}^n(\pi)$ where $n$ is the least value such that $\mathrm{Cnt}^n(\pi) =
\mathrm{Cnt}^{n+1}(\pi)$. Clearly, since $\pi$ is finite, and since $|\mathrm{Cnt}(\pi)| < |\pi|$ or $\mathrm{Cnt}(\pi) = \pi$ for
any $\pi$, $\mathrm{Cnt}^*(\pi)$ always exists. Moreover, we can always bound the length of $\mathrm{Cnt}^*(\pi)$.
This stems from the fact that $\mathrm{Cnt}^*(\pi)$ is a timed path that contains at most one
occurrence of each simple cycle. The length of such paths can be bounded using classical
combinatorial arguments.

Lemma 1 For any timed path $\pi$ of an LHA $\mathcal{H}$ with $|\mathrm{Loc}|$ locations and $|\mathrm{Edges}|$ edges:
$|\mathrm{Cnt}^*(\pi)| \le |\mathrm{Loc}| \cdot (2^{(|\mathrm{Edges}|+1)} + 1)$.

Proof. Let $\mathrm{Cnt}^*(\pi) = (t_1, e_1), (t_2, e_2), \ldots, (t_n, e_n)$. First, observe that, by definition
of $\mathrm{Cnt}^*$, the actual values of the time delays $t_1, t_2, \ldots, t_n$ are irrelevant to the length of
$\mathrm{Cnt}^*(\pi)$, since the 'contraction' is based solely on the edges. Still by definition of
$\mathrm{Cnt}^*$, also observe that the path $e_1, e_2, \ldots, e_n$ does not contain two occurrences of the
same simple cycle. Thus, the length of $\mathrm{Cnt}^*(\pi)$ is always bounded by the length of the
maximal path in $\mathcal{H}$ that does not contain two occurrences of the same simple cycle.

In order to compute this value, we first observe that any path $\sigma = e_1, e_2, \ldots, e_n$
can always be decomposed into subpaths $\sigma_1, \sigma_2, \ldots, \sigma_{2k}, \sigma_{2k+1}$ where any $\sigma_{2i+1}$ (for
$0 \le i \le k$) is an acyclic path and any $\sigma_{2j}$ is a simple cycle (for $1 \le j \le k$). This stems
from the fact that any cycle (whether it is simple or not) can always be decomposed
into a sequence of simple cycles and acyclic paths.

Thus, the worst case scenario for a path containing at most one occurrence of each simple cycle
is to have a path of the form: $\sigma_1, \sigma_2, \ldots, \sigma_{2k}, \sigma_{2k+1}$ where each $\sigma_{2i+1}$ (for $0 \le i \le k$)
is of maximal length, and $\{\sigma_{2j} \mid 1 \le j \le k\}$ is the set of all possible simple cycles. By
definition of a simple cycle, in an automaton with $|\mathrm{Edges}|$ edges and $|\mathrm{Loc}|$ locations, there are
at most $2^{|\mathrm{Edges}|}$ simple cycles, and each of them has at most length $|\mathrm{Loc}|$ (otherwise
the cycle would contain two edges with the same origin and the cycle wouldn't be
simple). Moreover, in such an automaton, each acyclic path is of length at most $|\mathrm{Loc}|$
too. Hence, the worst case is a path $\sigma_1, \sigma_2, \ldots, \sigma_{2k}, \sigma_{2k+1}$ where $k = 2^{|\mathrm{Edges}|}$, for all
$1 \le i \le k$: $|\sigma_{2i}| = |\mathrm{Loc}|$ and for all $0 \le j \le k$: $|\sigma_{2j+1}| = |\mathrm{Loc}|$, that is a total length
of $k \cdot |\mathrm{Loc}| + (k + 1) \cdot |\mathrm{Loc}| = |\mathrm{Loc}| \cdot (2k + 1) = |\mathrm{Loc}| \cdot (2^{(|\mathrm{Edges}|+1)} + 1)$. □

Note that the contraction operation is purely syntactic and works on the timed path
only. Hence, given a run $s_0 \xrightarrow{\pi} s$, we have no guarantee that $\mathrm{Run}(s_0, \mathrm{Cnt}^*(\pi)) \neq \bot$.
Moreover, even in the alternative, the resulting run might be $s_0 \xrightarrow{\mathrm{Cnt}^*(\pi)} s'$ with
$s \neq s'$. Nevertheless, we can show that $\mathrm{Cnt}^*(\pi)$ preserves some properties of $\pi$. For
a timed path $\pi = (t_1, e_1), \ldots, (t_n, e_n)$ of an LHA $\mathcal{H}$ with rate function Rates, we let
$\mathrm{Effect}(\pi, x) = \sum_{i=1}^{n} \mathrm{Rates}(\ell_i)(x) \cdot t_i$, where $\ell_i$ is the initial location of $e_i$ for any
$1 \le i \le n$. Note thus that, for any run $(\ell, \nu) \xrightarrow{\pi} (\ell', \nu')$, for any variable $x$ which is not
reset along $\pi$, $\nu'(x) = \nu(x) + \mathrm{Effect}(\pi, x)$. It is easy to see that $\mathrm{Cnt}^*(\pi)$ preserves
the effect of $\pi$. Moreover, the duration of $\mathrm{Cnt}^*(\pi)$ and $\pi$ are equal.

Lemma 2 For any timed path $\pi$: (i) $\mathrm{duration}(\pi) = \mathrm{duration}(\mathrm{Cnt}^*(\pi))$ and (ii) for
any variable $x$: $\mathrm{Effect}(\pi, x) = \mathrm{Effect}(\mathrm{Cnt}^*(\pi), x)$.
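
The contraction Cnt* and the two invariants of Lemma 2, as an added example that is not part of the paper: the three-location singular automaton, its rates and the delays are constructed for illustration, and the helper names (cnt, cnt_star, effect, demo) are hypothetical.

```python
from fractions import Fraction as F

# Constructed automaton (not the paper's Fig. 1): one singular rate per location.
RATES = {"l0": {"x": 1, "y": 2}, "l1": {"x": 3, "y": 0}, "l2": {"x": 0, "y": 1}}

# An edge is (name, src, trg); a timed path is a list of (delay, edge) pairs.
E01, E10, E02 = ("e01", "l0", "l1"), ("e10", "l1", "l0"), ("e02", "l0", "l2")


def is_simple_cycle(edges):
    """Consecutive edges connect, the last closes on the first, no source repeats."""
    if not edges:
        return False
    connected = all(a[2] == b[1] for a, b in zip(edges, edges[1:]))
    closes = edges[-1][2] == edges[0][1]
    sources = [e[1] for e in edges]
    return connected and closes and len(set(sources)) == len(sources)


def cnt(path):
    """One step of Cnt: find j <= k < j' <= k' with e_j..e_k = e_j'..e_k' a simple
    cycle, add the delays of the second occurrence onto the first, drop the second."""
    edges = [e for _, e in path]
    n = len(path)
    for j in range(n):
        for k in range(j, n):
            cycle = edges[j:k + 1]
            if not is_simple_cycle(cycle):
                continue
            size = k - j + 1
            for j2 in range(k + 1, n - size + 1):
                if edges[j2:j2 + size] == cycle:
                    merged = [(path[j + i][0] + path[j2 + i][0], path[j + i][1])
                              for i in range(size)]
                    return path[:j] + merged + path[k + 1:j2] + path[j2 + size:]
    return path  # no repeated simple cycle: Cnt(pi) = pi


def cnt_star(path):
    """Iterate Cnt to its fixpoint; every effective step strictly shortens the path."""
    while True:
        shorter = cnt(path)
        if shorter == path:
            return path
        path = shorter


def duration(path):
    return sum(t for t, _ in path)


def effect(path, var):
    """Effect(pi, x) = sum over i of Rates(src(e_i))(x) * t_i."""
    return sum(RATES[e[1]][var] * t for t, e in path)


def demo():
    """Loop l0 -> l1 -> l0 three times, then leave to l2 (constructed delays)."""
    delays = [F(1, 16), F(1, 32), F(1, 16), F(1, 32), F(1, 8), F(1, 32), F(1, 16)]
    pi = list(zip(delays, [E01, E10, E01, E10, E01, E10, E02]))
    return pi, cnt_star(pi)


if __name__ == "__main__":
    pi, contracted = demo()
    print("length:", len(pi), "->", len(contracted))
    print("duration:", duration(pi), "=", duration(contracted))
    for var in ("x", "y"):
        print("Effect on", var, ":", effect(pi, var), "=", effect(contracted, var))
```

The three loop iterations collapse into one occurrence of the cycle whose delays are the per-edge sums, which is why both duration and effect are unchanged; whether the contracted path is still a run (invariants, guards) is a separate question, as the text notes.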

We are now ready to show, given a timed path $\pi$ (with $\mathrm{duration}(\pi) \le \frac{1}{\mathrm{rmax}+1}$ and
without equality tests in the guards), how to build a timed path Contraction($\pi$) that
fully preserves the values of the variable, as stated in Proposition 3. The key ingredient
to obtain Contraction($\pi$) is to apply $\mathrm{Cnt}^*$ to selected portions of $\pi$, in such a way that
for each edge $e$ that resets a variable for the first or the last time along $\pi$, the time
distance between the occurrence of $e$ and the beginning of the timed path is the same
in both $\pi$ and Contraction($\pi$).

The precise construction goes as follows. Let $\pi = (t_1, e_1), \ldots, (t_n, e_n)$ be a timed
path. For each variable $x$, we denote by $S_x^\pi$ the set of positions $i$ such that $e_i$ is either
the first or the last edge in $\pi$ to reset $x$ (hence $|S_x^\pi| \in \{0, 1, 2\}$ for any $x$). Then, we
decompose $\pi$ as: $\pi_1 \cdot (t_{i_1}, e_{i_1}) \cdot \pi_2 \cdot (t_{i_2}, e_{i_2}) \cdots (t_{i_k}, e_{i_k}) \cdot \pi_{k+1}$ with $\{i_1, \ldots, i_k\} =
\bigcup_x S_x^\pi$. From this decomposition of $\pi$, we let $\mathrm{Contraction}(\pi) = \mathrm{Cnt}^*(\pi_1) \cdot (t_{i_1}, e_{i_1}) \cdot
\mathrm{Cnt}^*(\pi_2) \cdot (t_{i_2}, e_{i_2}) \cdots (t_{i_k}, e_{i_k}) \cdot \mathrm{Cnt}^*(\pi_{k+1})$.

We first note that, thanks to Lemma 1, $|\mathrm{Contraction}(\pi)|$ is bounded.

Lemma 3 Let $\mathcal{H}$ be an LHA with set of variable $X$, set of edges Edges and set of
location Loc, and let $\pi$ be a timed path of $\mathcal{H}$. Then $|\mathrm{Contraction}(\pi)| \le 2 \cdot |X| +
(2 \cdot |X| + 1) \cdot |\mathrm{Loc}| \cdot (2^{(|\mathrm{Edges}|+1)} + 1)$.

Proof. The Lemma stems from the fact that $|\bigcup_x S_x^\pi| \le 2 \cdot |X|$ and that, for any $j$:
$|\mathrm{Cnt}^*(\pi_j)| \le |\mathrm{Loc}| \cdot (2^{(|\mathrm{Edges}|+1)} + 1)$ by Lemma 1. □

In order to obtain Proposition 3, it remains to show that this construction can be
used to build a run $\rho'$ that is equivalent to the original run $\rho$. By Lemma 2, we know
that $\mathrm{duration}(\mathrm{Cnt}^*(\pi_j)) = \mathrm{duration}(\pi_j)$ for any $j$. Hence, the first and last resets of
each variable happen at the same time (relatively to the beginning of the timed path) in
both $\pi$ and Contraction($\pi$). Intuitively, preserving the time of occurrence of the first
reset (of some variable $x$) guarantees that $x$ will never exceed 1 along Contraction($\pi$),
because $\mathrm{duration}(\mathrm{Contraction}(\pi)) = \mathrm{duration}(\pi) \le \frac{1}{\mathrm{rmax}+1}$. Symmetrically,
preserving the last reset of some variable $x$ guarantees that the final value of $x$ will be
the same in both $\pi$ and Contraction($\pi$). Moreover, we know (see Lemma 2) that the
contraction function also preserves the value of the variables that are not reset. Thanks
to these results, we are now ready to prove Proposition 3.

Proof [of Proposition 3]. Let $\pi = \mathrm{TPath}(\rho)$ and let $\pi'$ denote Contraction($\pi$). To
prove the existence of $\rho'$, we will choose $\rho' = s_0 \xrightarrow{\pi'} s$. Let us first show that
$\mathrm{Run}(s_0, \pi') \neq \bot$. Since $\pi$ and $\pi'$ contain no equality test, by H3, this amounts to
showing that firing $\pi'$ from $s_0$ will always keep all the variable values $\le 1$.

Let us consider the decomposition of $\pi$ into: $\pi_1 \cdot (t_{i_1}, e_{i_1}) \cdot \pi_2 \cdot (t_{i_2}, e_{i_2}) \cdots (t_{i_k}, e_{i_k}) \cdot
\pi_{k+1}$, as in the definition of Contraction. For any $1 \le i \le k$, let $s_i = (\ell_i, \nu_i)$
denote the state reached by the run $s_0 \xrightarrow{\pi_1 \cdot (t_{i_1}, e_{i_1}) \cdots \pi_i} s_i$. Symmetrically, let $s'_i =
(\ell_i, \nu'_i)$ denote the state reached by the run $s_0 \xrightarrow{\mathrm{Cnt}^*(\pi_1) \cdot (t_{i_1}, e_{i_1}) \cdots \mathrm{Cnt}^*(\pi_i)} s'_i$, assuming
it exists. In that case, we observe that, for any variable $x$ which is not reset along
$\mathrm{Cnt}^*(\pi_1) \cdot (t_{i_1}, e_{i_1}) \cdots \mathrm{Cnt}^*(\pi_i)$, we have: $\nu_i(x) = \nu'_i(x)$, by Lemma 2.

Then, we proceed by contradiction. Let $(t_j, e_j)$ be an element from $\pi'$, let $x$ be a
variable such that $s_0 \xrightarrow{\pi'[1:j]} (\ell', \nu')$ and $\nu'(x) + \mathrm{Rates}(\ell')(x) \cdot t_{j+1} > 1$. We first
observe that, once $x$ has been reset along $\pi'$, its value can never exceed 1 because
$\mathrm{duration}(\pi') = \mathrm{duration}(\pi) \le \frac{1}{\mathrm{rmax}+1}$. Hence, $(t_j, e_j)$ must occur before the first
reset of $x$ along $\pi'$. We distinguish two cases:

1. In the case where [tj, ej) occurs in some part Cnt* (tTj^) of the decomposition 
of tt', we know that i^i^^iix) + Effect ((ti^ , Ci^. )Cnt* (TTi^ ) ,x^ > 1, since x is 
not reset along Cnt* {TTi-). However, we have: 

Vi- (x) Ui^^iix) + Effect {{U. , ) • TTi. , x) def. and x not reset 

= i^i.^iix) + Effect ((ti^. ,ei.) ■ iTi. , observation above 

= f'i^^iix) + Effect {it^. , ) ■ Cnt* [-k^. ) , x) Lemma|2] 
> 1 

Hence, $\rho$ reaches a valuation where the value of $x$ exceeds 1. Contradiction.

2. The case where $(t_j, e_j) = (t_{i_k}, e_{i_k})$ for some $i_k$ is treated similarly and leads to
the same contradiction.

Now, we are sure that $\rho' = s_0 \xrightarrow{\pi'} (\ell', \nu')$ is indeed a 1-variable bounded run. By
Lemma 3, it has the adequate length. It remains to show that $\rho = s_0 \xrightarrow{\pi} (\ell, \nu)$ implies
$\ell' = \ell$ and $\nu = \nu'$. The first point is true by definition of $\pi'$. For any variable $x$, let
$i_x$ denote the element $(t_{i_x}, e_{i_x})$ of $\pi$ where the last reset of $x$ occurs along $\pi$ (and thus
along $\pi'$). We observe that $\nu(x) = \mathrm{Effect}(\pi_{i_x+1} \cdot (t_{i_x+1}, e_{i_x+1}) \cdots \pi_{k+1}, x)$ and that
$\nu'(x) = \mathrm{Effect}(\mathrm{Cnt}^*(\pi_{i_x+1}) \cdot (t_{i_x+1}, e_{i_x+1}) \cdots \mathrm{Cnt}^*(\pi_{k+1}), x)$ since $x$ is not reset
anymore along those two suffixes. By Lemma 2, we have $\nu(x) = \nu'(x)$. □

Handling '<' and non-singular rates. Let us now briefly explain how we can adapt
the construction of this section to cope with strict guards and non-singular rates. First,
when the RHA $\mathcal{H}$ contains strict guards, the RHA $\mathcal{H}'$ of Proposition 1 will also contain
guards with atoms of the form $x < 1$. Thus, when building a 'contracted path' $\rho'$
starting from a path $\rho$ (as in the proof of Proposition 3), we need to ensure that these
strict guards will also be satisfied along $\rho'$. It is easy to use similar arguments to
establish this: if some guard $x < 1$ is not satisfied in $\rho'$, this is necessarily before the
first reset of $x$, which means that the guard was not satisfied in $\rho$ either. On the other
hand, to take non-singular rates into account, we need to adapt the definition of timed
path. A timed path is now of the form $(t_0, r_0, e_0) \cdots (t_n, r_n, e_n)$, where each $r_i$ is a
vector of reals of size $|X|$, indicating the actual rate that was chosen for each variable
when the i-th continuous step has been taken. It is then straightforward to adapt the
definitions of Cnt, Effect and Contraction to take those rates into account and still keep
the properties stated in Lemma 1 and 3 and in Proposition 3 (note that we need to rely
on the convexity of the invariants in RHA to ensure that proper rates can be found when
building $\mathrm{Cnt}(\pi)$).

Theorem 1 The time-bounded reachability problem is decidable for the class of rect- 
angular hybrid automata with non-negative rates. 

Proof. Let $\mathcal{H}$ be an RHA with non-negative rates, let Goal be one of its location,
let $B$ be a natural value, and let us show how to determine whether $\mathcal{H}$ admits a
B-time-bounded run reaching Goal. By Proposition 1 (and taking into account the above
remarks to cope with strict guards and rectangular rates), this amounts to determining
the existence of a strict 1-variable bounded run reaching Goal' in $\mathcal{H}'$ (where Goal' and $\mathcal{H}'$
are defined as in Proposition 1). By Proposition 3, this can be done by considering only
the runs of length at most $2|X| + (2|X| + 1) \cdot |\mathrm{Loc}| \cdot (2^{(|\mathrm{Edges}|+1)} + 1)$. This
question can be answered by building an $\mathrm{FO}(\mathbb{R}, <, +)$ formula $\varphi_{\mathcal{H}'}$ which is satisfiable
iff $\rho'$ exists. Since the satisfiability of $\mathrm{FO}(\mathbb{R}, <, +)$ is decidable [4], we obtain the
theorem. □



4 Undecidability Results 

In this section, we show that the time-bounded reachability problem for linear hybrid 
automata becomes undecidable if either both positive and negative rates are allowed, 
or diagonal constraints are allowed in the guards. Along with the decidability result 
of Section 3, these facts imply that the class of rectangular hybrid automata having
positive rates only and no diagonal constraints forms a maximal decidable class. Our 
proofs rely on reductions from the halting problem for Minsky two-counters machines. 

A two-counter machine $M$ consists of a finite set of control states $Q$, an initial state
$q_I \in Q$, a final state $q_F \in Q$, a set $C$ of counters ($|C| = 2$) and a finite set $\delta_M$ of
instructions manipulating two integer-valued counters. Instructions are of the form:

q : c := c + 1 goto q', or

q : if c = 0 then goto q' else c := c − 1 goto q''.

Formally, instructions are tuples $(q, \alpha, c, q')$ where $q, q' \in Q$ are source and target
states respectively, the action $\alpha \in \{\mathrm{inc}, \mathrm{dec}, 0?\}$ applies to the counter $c \in C$.

A configuration of $M$ is a pair $(q, v)$ where $q \in Q$ and $v : C \to \mathbb{N}$ is a valuation of
the counters. An accepting run of $M$ is a finite sequence $\pi = (q_0, v_0)\delta_0(q_1, v_1)\delta_1 \ldots
\delta_{n-1}(q_n, v_n)$ where $\delta_i = (q_i, \alpha_i, c_i, q_{i+1}) \in \delta_M$ are instructions and $(q_i, v_i)$ are
configurations of $M$ such that $q_0 = q_I$, $v_0(c) = 0$ for all $c \in C$, $q_n = q_F$, and for
all $0 \le i < n$, we have $v_{i+1}(c) = v_i(c)$ for $c \neq c_i$, and (i) if $\alpha = \mathrm{inc}$, then
$v_{i+1}(c_i) = v_i(c_i) + 1$, (ii) if $\alpha = \mathrm{dec}$, then $v_i(c_i) \neq 0$ and $v_{i+1}(c_i) = v_i(c_i) - 1$,
and (iii) if $\alpha = 0?$, then $v_{i+1}(c_i) = v_i(c_i) = 0$. The halting problem asks, given a
two-counter machine $M$, whether $M$ has an accepting run. This problem is
undecidable [9].
Undecidability for RHA with negative rates. Given a two-counter machine $M$, 
we construct an RHA $\mathcal{H}_M$ (thus without diagonal constraints) such that $M$ has an 
accepting run if and only if the answer to the time-bounded reachability problem for 
$(\mathcal{H}_M, \mathrm{Goal})$ with time bound 1 is Yes. The construction of $\mathcal{H}_M$ crucially makes use 
of both positive and negative rates. 

Theorem 2 The time-bounded reachability problem is undecidable for rectangular hybrid 
automata even if restricted to singular rates. 

Proof. The reduction is as follows. The execution steps of $M$ are simulated in $\mathcal{H}_M$ 
by a (possibly infinite) sequence of ticks within one time unit. The ticks occur at time 
$t_0 = 0$, $t_1 = 1 - \frac{1}{4}$, $t_2 = 1 - \frac{1}{16}$, ... The counters are encoded as follows. If the value 
of counter $c \in C$ after $i$ execution steps of $M$ is $v(c)$, then the variable $x_c$ in $\mathcal{H}_M$ has 
value $\frac{1}{4^{i+v(c)}}$ at time $t_i$. Note that this encoding is time-dependent and that the value of 
$x_c$ at time $t_i$ is always smaller than $1 - t_i = \frac{1}{4^i}$ and equal to $\frac{1}{4^i}$ if the counter value 
is 0. To maintain this encoding (if a counter $c$ is not modified in an execution step), 
we need to divide $x_c$ by 4 before the next tick occurs. We use the divisor gadget in 
Figure 4 to do this. Using the diagram in the figure, it is easy to check that the value of 
variable $x_c$ is divided by $k^2$ where $k$ is a constant used to define the variable rates. In 
the sequel, we use $k = 2$ and $k = 4$ (i.e., division by 4 and by 16 respectively). Note 
also that the division of $v(x_c)$ by $k^2$ takes $v(x_c) \cdot \left(\frac{1}{k} + \frac{1}{k^2}\right)$ time units, which is less 
than $\frac{3}{4} v(x_c)$ for $k > 2$. Since $v(x_c) \le \frac{1}{4^i}$ at step $t_i$, the duration of the division is at 
most $\frac{3}{4^{i+1}} = t_{i+1} - t_i$, the duration of the next tick. 

We also use the divisor gadget on a variable $x_t$ to construct an automaton $A_{tick}$ 
that generates the ticks, as in Figure 5. We take $k = 2$ and we connect and merge the 
incoming and outgoing transition of the divisor gadget. Initially, we require $x_t = 1$. 
Since division of $x_t$ by $k^2 = 4$ takes $v(x_t) \cdot \left(\frac{1}{2} + \frac{1}{4}\right) = \frac{3}{4} v(x_t)$ time units, it turns 
out that the value of $x_t$ is always $1 - t_i = \frac{1}{4^i}$ at time $t_i$. Therefore, we can produce 
infinitely many ticks within one time unit. 

The automaton $\mathcal{H}_M$ is the product of $A_{tick}$ with the automaton constructed as follows. 
Assume the set of counters is $C = \{c, d\}$. For each state $q$ of $M$, we construct 
a location $\ell_q$ with rate $\dot{x}_c = 0$ and $\dot{x}_d = 0$. For each instruction $(q, \cdot, \cdot, q')$ of $M$, we 
construct a transition from location $\ell_q$ to $\ell_{q'}$ through a synchronized product of division 
gadgets to maintain the encoding, as shown in Figure 6 and Figure 7. For example, the 
instruction $(q, inc, c, q')$ is simulated by dividing $x_c$ by $16 = 4^2$ and $x_d$ by 4, which 
transforms for instance $x_c = \frac{1}{4^{i+v(c)}}$ into $x'_c = \frac{1}{4^{(i+1)+(v(c)+1)}}$. The decrement is implemented 
similarly. Note that the decrement of $c$ requires division by 1 which is trivially realized 
by a location with rate $\dot{x}_c = 0$. Finally, the zero test is implemented as follows. A 
counter $c$ has value 0 in step $i$ if $x_c = 1 - t_i = \frac{1}{4^i}$. Therefore, it suffices to check that 
$x_c = x_t$ to simulate a zero test. To avoid diagonal constraints, we replace $x_c = x_t$ 
by a test $x_t = 0$ on the transition guarded by $x_c = 0$ in the divisor gadget for $x_c$ (as 
suggested in Figure 7). 

The set Goal $= \{\ell_{q_F}\}$ contains the location corresponding to the final state $q_F$ 
in $M$. By the above arguments, there is a one-to-one mapping between the execution 
of $M$ and the run of $\mathcal{H}_M$. In particular, the counter values at step $i$ are correctly 







Figure 4: Gadget for division of a variable $x$ by $k^2$. The variable $y$ is internal to the 
gadget. The duration of the division is $v \cdot \left(\frac{1}{k} + \frac{1}{k^2}\right)$. The guard ($x_t = 0$) has no influence 
here, and it is used only when $k = 2$. 






Figure 5: Tick-gadget to produce infinitely many ticks within one time unit. 







Figure 6: Increment-gadget to simulate instruction $(q, inc, c, q')$. 




Figure 7: Zero-gadget to simulate instruction $(q, ?0, c, q')$. We do use the guard $x_t = 0$ 
in the divisor gadget for $x_c$, in order to simulate the diagonal guard ($x_c = x_t$). 



encoded at time $t_i$. Therefore, the location $\ell_{q_F}$ is reachable in $\mathcal{H}_M$ within one time unit 
if and only if $M$ has an accepting run reaching $q_F$. □ 
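
The encoding used in the proof of Theorem 2, replayed on a small two-counter run with exact rationals; this is an added example, not code from the paper. It assumes that a division of a value v by k² takes v·(1/k + 1/k²) time units and that x_c = x_d = x_t = 1 at time 0; the function names and the sample run are constructed for illustration.

```python
from fractions import Fraction

# The gadget divides by k**2: by 16 for inc, by 1 for dec, by 4 for an unchanged counter.
K_INC, K_DEC, K_KEEP = 4, 1, 2


def division_time(value, k):
    """Time needed to divide `value` by k**2 (assumed formula, see lead-in)."""
    if k == 1:                       # division by 1: a rate-0 location, no gadget
        return Fraction(0)
    return value * (Fraction(1, k) + Fraction(1, k * k))


def replay(run, counters=("c", "d")):
    """Replay instructions (q, a, c, q') on the machine and on its encoding.

    Returns one row (t_i, counter values, x values, x_t) per tick.
    """
    v = {name: 0 for name in counters}
    x = {name: Fraction(1) for name in counters}     # counter value 0 at t_0 = 0
    x_t, now = Fraction(1), Fraction(0)
    rows = [(now, dict(v), dict(x), x_t)]
    for _q, action, c, _q_next in run:
        if action == "0?" and x[c] != x_t:           # the guard x_c = x_t decides the test
            raise ValueError(f"zero test on {c} fails at t = {now}")
        if action == "dec" and v[c] == 0:            # machine semantics: dec needs v(c) != 0
            raise ValueError(f"cannot decrement {c} at t = {now}")
        tick = division_time(x_t, 2)                 # length of this tick
        for name in counters:
            k = {"inc": K_INC, "dec": K_DEC}.get(action, K_KEEP) if name == c else K_KEEP
            if division_time(x[name], k) > tick:
                raise AssertionError("division would outlast the tick")
            x[name] /= k * k
        v[c] += {"inc": 1, "dec": -1, "0?": 0}[action]
        x_t /= 4
        now += tick
        rows.append((now, dict(v), dict(x), x_t))
    return rows


def encoding_holds(rows):
    """Check t_i = 1 - 4**-i, x_t = 4**-i and x_c = 4**-(i + v(c)) on every row."""
    for i, (now, v, x, x_t) in enumerate(rows):
        if now != 1 - Fraction(1, 4**i) or x_t != Fraction(1, 4**i):
            return False
        if any(x[c] != Fraction(1, 4 ** (i + v[c])) for c in v):
            return False
    return True


# Constructed run: c is incremented twice, decremented twice, then zero-tested.
SAMPLE_RUN = [("q0", "inc", "c", "q1"), ("q1", "inc", "c", "q2"),
              ("q2", "dec", "c", "q3"), ("q3", "dec", "c", "q4"),
              ("q4", "0?", "c", "qF")]

if __name__ == "__main__":
    for now, v, x, x_t in replay(SAMPLE_RUN):
        print(f"t={now}  v={v}  x_c={x['c']}  x_d={x['d']}  x_t={x_t}")
```

Every tick time stays below 1, so the whole run, however long, fits inside the one-time-unit bound.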

Undecidability with diagonal constraints. We now show that diagonal constraints 
also lead to undecidability. The result holds even if every variable has a positive, 
singular, fixed rate. 

Theorem 3 The time-bounded reachability problem is undecidable for LHA that use 
only singular, strictly positive, and fixed-rate variables. 

Proof. The proof is again by reduction from the halting problem for two-counter ma- 
chines. We describe the encoding of the counters and the simulation of the instructions. 

Given a counter $c$, we represent $c$ via two auxiliary counters $c_{bot}$ and $c_{top}$ such that 
$v(c) = v(c_{top}) - v(c_{bot})$. 

Incrementing and decrementing $c$ are achieved by incrementing either $c_{top}$ or $c_{bot}$. 
Zero-testing for $c$ corresponds to checking whether the two auxiliary counters have the 
same value. Therefore, we do not need to simulate decrementation of a counter. 

We encode the value of counter $c_{bot}$ using two real-valued variables $x$ and $y$, by 
postulating that $|x - y| = \frac{1}{2^{v(c_{bot})}}$. Both $x$ and $y$ have rate $\dot{x} = \dot{y} = 1$ at all times and 
in all locations of the hybrid automaton. Incrementing $c_{bot}$ now simply corresponds to 
halving the value of $|x - y|$. In order to achieve this, we use two real-valued variables 
$z$ and $w$ with rate $\dot{z} = 2$ and $\dot{w} = 3$. 

All operations are simulated in 'rounds'. At the beginning of a round, we require 
that the variables $x, y, z, w$ have respective value $\frac{1}{2^{v(c_{bot})}}$, 0, 0, 0. We first explain how 
we merely maintain the value of $c_{bot}$ throughout a round: 

1. Starting from the beginning of the round, let all variables evolve until $x = z$, 
which we detect via a diagonal constraint. Recall that $z$ evolves at twice the rate 
of $x$. 

2. At that point, $x = \frac{2}{2^{v(c_{bot})}}$ and $y = \frac{1}{2^{v(c_{bot})}}$. Reset $x$ and $z$ to zero. 

3. Now let all variables evolve until $y = z$, and reset $y$, $z$ and $w$ to zero. It is 
easy to see that all variables now have exactly the same values as they had at the 
beginning of the round. Moreover, the invariant $|x - y| = \frac{1}{2^{v(c_{bot})}}$ is maintained 
throughout. 

Note that the total duration of the above round is $\frac{2}{2^{v(c_{bot})}}$. To increment $c_{bot}$, we 
proceed as follows: 

1'. Starting from the beginning of the round, let all variables evolve until $x = w$. 
Recall that the rate of $w$ is three times that of $x$. 

2'. At that point, $x = \frac{3}{2^{v(c_{bot})+1}}$ and $y = \frac{1}{2 \cdot 2^{v(c_{bot})}} = \frac{1}{2^{v(c_{bot})+1}}$. Reset $x$, $z$, and $w$ to 
zero. 

3'. Now let all variables evolve until $y = z$, and reset $y$, $z$ and $w$ to zero. We now 
have $x = \frac{1}{2^{v(c_{bot})+1}}$, and thus the value of $|x - y|$ has indeed been halved as 
required. 

Note that the total duration of this incrementation round is $\frac{1}{2^{v(c_{bot})}}$, where $v(c_{bot})$ 
denotes the value of counter $c_{bot}$ prior to incrementation. 
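
The maintain and increment rounds above, replayed with exact rational arithmetic; this is an added example, not code from the paper. It assumes a round starts with x = 1/2^v and y = z = w = 0 when the counter holds v; the function names are illustrative.

```python
from fractions import Fraction

# Rates fixed in the proof: x and y run at 1, z at 2 and w at 3, in every location.
RATES = {"x": 1, "y": 1, "z": 2, "w": 3}


def start_of_round(v):
    """Valuation assumed at the start of a round when the counter holds v."""
    return {"x": Fraction(1, 2**v), "y": Fraction(0), "z": Fraction(0), "w": Fraction(0)}


def evolve_until_equal(state, slow, fast):
    """Let time elapse until the diagonal guard slow = fast holds; return the delay."""
    delay = (state[slow] - state[fast]) / (RATES[fast] - RATES[slow])
    if delay < 0:
        raise ValueError(f"{fast} is already ahead of {slow}")
    for name, rate in RATES.items():
        state[name] += rate * delay
    return delay


def reset(state, *names):
    for name in names:
        state[name] = Fraction(0)


def maintain_round(state):
    """Steps 1-3: |x - y| is unchanged at the end; returns the round's duration."""
    elapsed = evolve_until_equal(state, "x", "z")
    reset(state, "x", "z")
    elapsed += evolve_until_equal(state, "y", "z")
    reset(state, "y", "z", "w")
    return elapsed


def increment_round(state):
    """Steps 1'-3': |x - y| is halved at the end; returns the round's duration."""
    elapsed = evolve_until_equal(state, "x", "w")
    reset(state, "x", "z", "w")
    elapsed += evolve_until_equal(state, "y", "z")
    reset(state, "y", "z", "w")
    return elapsed


def initialise(target):
    """Increment from 0 up to `target`; returns (valuation, total time spent)."""
    state, total = start_of_round(0), Fraction(0)
    for _ in range(target):
        total += increment_round(state)
    return state, total


if __name__ == "__main__":
    s = start_of_round(3)
    print("maintain :", maintain_round(s), s)
    print("increment:", increment_round(s), s)
    print("initialising to 5 takes", initialise(5)[1])
```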

Clearly, the same operations can be simulated for counter $c_{top}$ (using further 
auxiliary real-valued variables). Note that the durations of the rounds for $c_{bot}$ and $c_{top}$ are 
in general different — in fact $c_{bot}$-rounds are never faster than $c_{top}$-rounds. But because 
they are powers of $\frac{1}{2}$, it is always possible to synchronize them, simply by repeating 
maintain-rounds for $c_{bot}$ until the round for $c_{top}$ has completed. 

Finally, zero-testing the original counter $c$ (which corresponds to checking whether 
$c_{bot} = c_{top}$) is achieved by checking whether the corresponding variables have the 
same value at the very beginning of a $c_{bot}$-round (since the $c_{bot}$- and $c_{top}$-rounds are 
then synchronized). 

We simulate the second counter $d$ of the machine using further auxiliary counters 
$d_{bot}$ and $d_{top}$. It is clear that the time required to simulate one instruction of a 
two-counter machine is exactly the duration of the slowest round. Note however that since 
counters $c_{bot}$, $c_{top}$, $d_{bot}$, and $d_{top}$ are never decremented, the duration of the slowest 
round is at most $\frac{2}{2^p}$, where $p$ is the smallest of the initial values of $c_{bot}$ and $d_{bot}$. If a 
two-counter machine has an accepting run of length $m$, then the total duration of the 
simulation is at most $m \cdot \frac{2}{2^p}$. 

In order to bound this value, it is necessary before commencing the simulation to 
initialize the counters $c_{bot}$, $c_{top}$, $d_{bot}$, and $d_{top}$ to a sufficiently large value, for example 
any number greater than $\log_2(m) + 1$. In this way, the duration of the simulation is at 
most 1. 

Initializing the counters in this way is straightforward. Starting with zero counters 
(all relevant variables are zero) we repeatedly increment $c_{bot}$, $c_{top}$, $d_{bot}$, and $d_{top}$ 
a nondeterministic number of times, via a self-loop. When each of these counters 
has value $k$, we can increment all four counters in a single round of duration $\frac{1}{2^k}$ as 
explained above. So over a time period of duration at most $\sum_{k=0}^{\infty} \frac{1}{2^k} = 2$ the counters 
can be initialized to $[\log_2(m) + 1]$. 

Let us now combine these ingredients. Given a two-counter machine $M$, we construct 
a hybrid automaton $\mathcal{H}_M$ such that $M$ has an accepting run iff $\mathcal{H}_M$ has a run of 
duration at most 3 that reaches the final state Goal. 

$\mathcal{H}_M$ uses the real-valued variables described above to encode the counters of $M$. 
In the initialization phase, $\mathcal{H}_M$ nondeterministically assigns values to the auxiliary 
counters, hence guessing the length of an accepting run of $M$, and then proceeds with 
the simulation of $M$. This ensures a correspondence between an accepting run of $M$ 
and a time-bounded run of $\mathcal{H}_M$ that reaches Goal. □ 
A Constructions to Prove Proposition 1 



In this section, we present three constructions that allow us to prove Proposition 1. These 
three constructions have to be applied successively, starting from an RHA with 
non-negative rates: 

1. The first construction removes the non-deterministic resets while preserving 
time-bounded reachability. 

2. The second construction allows us to consider only runs where the variables are 
bounded by 1. Roughly speaking, it amounts to encoding the integral parts of the 
variables in the locations and adapting the guards and invariants accordingly. 

3. The third construction allows us to consider strict runs only. 

Throughout the section, we assume all the guards to be reduced, i.e.: (i) the same 
atom does not appear twice in the same guard, (ii) the only guard containing true is 
true and (iii) the only guard containing false is false. Remark that any guard can 
always be replaced by an equivalent reduced guard. For any valuation $v$, we denote by 
$v[S/0]$ the valuation s.t. for any $x$: $v[S/0](x) = v(x)$ if $x \notin S$ and $v[S/0](x) = 0$ 
otherwise. 

A.1 First construction: deterministic resets 

Given an RHA $\mathcal{H}$ we show how to construct an RHA $\mathcal{H}'$ with only deterministic resets 
such that $\mathcal{H}$ is equivalent to $\mathcal{H}'$ with respect to reachability in the sense of Proposition]?] 
The idea of the construction is to replace non-deterministic resets in $\mathcal{H}$ with resets to 
0 in $\mathcal{H}'$ and to compensate by suitably altering the guards of subsequent transitions in 
$\mathcal{H}'$. 

Let $X = \{x_1, \dots, x_n\}$ be a set of variables, $\mathcal{I}$ a set of real intervals including 
the singleton $\{0\}$, let $g$ be a guard on $X$, and let $p \in \mathcal{I}^n$ be an $n$-tuple of intervals. 
(Intuitively $p(j)$ represents the interval in which variable $x_j$ was last reset, with $p(j) = 
\{0\}$ if $x_j$ has not yet been reset.) Then we inductively define $\mathrm{Adapt}(g, p)$ as follows: 

$$\mathrm{Adapt}(g_1 \wedge g_2, p) = \mathrm{Adapt}(g_1, p) \wedge \mathrm{Adapt}(g_2, p)$$
$$\mathrm{Adapt}(x_j \in I, p) = x_j \in (I - p(j)).$$

Here, given intervals $I, J \subseteq \mathbb{R}$, $I - J$ denotes the interval 
$\{x \mid \exists y \in I, \exists z \in J : x + z = y\}$. 

Let $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ be an RHA. We construct a new RHA 
$\mathrm{DetReset}(\mathcal{H}) = (X, \mathrm{Loc}', \mathrm{Edges}', \mathrm{Rates}', \mathrm{Inv}', \mathrm{Init}')$ as follows. Writing $\mathcal{I}$ for the set 
of intervals used in variable resets in $\mathcal{H}$, we have: 

1. $\mathrm{Loc}' = \mathrm{Loc} \times \mathcal{I}^{|X|}$. 

2. For each $(\ell, g, r, \ell') \in \mathrm{Edges}$ we have that $((\ell, p), g', r', (\ell', p')) \in \mathrm{Edges}'$, 
where $g' = \mathrm{Adapt}(g, p)$; $r'(j) = \bot$ and $p'(j) = p(j)$ if $r(j) = \bot$; $r'(j) = \{0\}$ 
and $p'(j) = r(j)$ if $r(j) \ne \bot$. 

3. $\mathrm{Rates}'(\ell, p) = \mathrm{Rates}(\ell)$. 

4. $\mathrm{Inv}'(\ell, p) = \mathrm{Adapt}(\mathrm{Inv}(\ell), p)$. 

5. $\mathrm{Init}' = \{(\ell, \mathbf{0}) \mid \ell \in \mathrm{Init}\}$, where $\mathbf{0} = (\{0\}, \dots, \{0\})$. 

Proposition 4 Let $\ell$ be a location of $\mathcal{H}$. Then, $\mathcal{H}$ admits a $T$-time-bounded run reaching 
$\ell$ iff $\mathrm{DetReset}(\mathcal{H})$ admits a $T$-time-bounded run reaching some location of the 
form $(\ell, p)$. 

A.2 Second construction: variables bounded by 1 

Next, we show, given an RHA $\mathcal{H}$ with non-negative rates and deterministic resets, how 
we can build an RHA $\mathrm{CBound}(\mathcal{H})$ with the same properties, and s.t. we can decide 
time-bounded reachability on $\mathcal{H}$ by considering only the runs of $\mathrm{CBound}(\mathcal{H})$ with the 
variables bounded by 1. 

The idea of the construction is to encode the integer part of the variable values of $\mathcal{H}$ 
in the locations of $\mathrm{CBound}(\mathcal{H})$, and to keep the fractional part (thus, a value in [0, 1]) 
in the variable. To achieve this, locations of $\mathrm{CBound}(\mathcal{H})$ are of the form $(\ell, i)$, where 
$\ell$ is a location of $\mathcal{H}$, and $i$ is a function that associates a value from $\{0, \dots, \mathrm{cmax}\}$ 
to each variable. Intuitively, $i(j)$ represents the integer part of $x_j$ in the original run 
of $\mathcal{H}$, whereas the fractional part is tracked by $x_j$ (hence all the variables stay in the 
interval [0, 1]). For instance, the configuration $(\ell, 2.1, 3.2)$ of $\mathcal{H}$ is encoded by the 
configuration $((\ell, (2, 3)), 0.1, 0.2)$ of $\mathrm{CBound}(\mathcal{H})$. The transitions of $\mathrm{CBound}(\mathcal{H})$ are 
adapted from the transitions of $\mathcal{H}$ by modifying the guards to take into account the 
integer part encoded in the locations. This is achieved thanks to the Adapt function 
described hereunder. Finally, fresh transitions are added to $\mathrm{CBound}(\mathcal{H})$ that allow us to 
reset variables whose value reaches 1, while properly adapting the information about the 
integral part. 

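Let $X = \{x_1, \dots, x_n\}$ be a set of variables, let $g$ be a guard on $X$, and let 
$i = (i_1, \dots, i_n)$ be a tuple of natural values. Then, we define inductively $\mathrm{Adapt}(g, i)$ 
as follows: 

$$\mathrm{Adapt}(x_j \le k, i) = \begin{cases} \text{false} & \text{if } k < i_j \\ x_j = 0 & \text{if } k = i_j \\ \text{true} & \text{if } k > i_j \end{cases}$$

$$\mathrm{Adapt}(x_j < k, i) = \begin{cases} \text{false} & \text{if } k \le i_j \\ x_j < 1 & \text{if } k = i_j + 1 \\ \text{true} & \text{if } k > i_j + 1 \end{cases}$$

$$\mathrm{Adapt}(x_j = k, i) = \begin{cases} \text{false} & \text{if } k < i_j \\ x_j = 0 & \text{if } k = i_j \\ \text{false} & \text{if } k > i_j \end{cases}$$

$$\mathrm{Adapt}(x_j \ge k, i) = \begin{cases} \text{false} & \text{if } k > i_j + 1 \\ x_j = 1 & \text{if } k = i_j + 1 \\ \text{true} & \text{if } k \le i_j \end{cases}$$

$$\mathrm{Adapt}(x_j > k, i) = \begin{cases} \text{true} & \text{if } k < i_j \\ x_j > 0 & \text{if } k = i_j \\ \text{false} & \text{if } k > i_j \end{cases}$$

$$\mathrm{Adapt}(g_1 \wedge g_2, i) = \mathrm{Adapt}(g_1, i) \wedge \mathrm{Adapt}(g_2, i)$$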

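Given an RHA $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ s.t. for any $(\ell, g, r, \ell') \in 
\mathrm{Edges}$, for any $x \in X$: $r(x)$ is either $[0, 0]$ or $\bot$ (that is, all the resets are deterministic 
and to zero), we build the RHA 

$\mathrm{CBound}(\mathcal{H}) = (X, \mathrm{Loc}', \mathrm{Edges}', \mathrm{Rates}', \mathrm{Inv}', \mathrm{Init}')$ 

as follows (where cmax is the largest constant appearing in $\mathcal{H}$): 

1. $\mathrm{Loc}' = \mathrm{Loc} \times \{0, \dots, \mathrm{cmax}\}^n$. 

2. For each $(\ell, g, r, \ell') \in \mathrm{Edges}$ we have that: 

$((\ell, i), \mathrm{Adapt}(g, i), r, (\ell', i')) \in \mathrm{Edges}'$, where $i'_j$ 

$((\ell, i), x_k = 1, \{x_k\}, (\ell, i')) \in \mathrm{Edges}'$, where $i'_j = \begin{cases} i_j & \text{if } j \ne k \\ \min(i_j + 1, \mathrm{cmax}) & \text{if } j = k. \end{cases}$ 

3. for any $(\ell, i) \in \mathrm{Loc}'$: $\mathrm{Rates}'(\ell, i) = \mathrm{Rates}(\ell)$. 

4. $\mathrm{Inv}'(\ell, i) = (x_1 \le 1) \wedge \dots \wedge (x_n \le 1)$, for each $(\ell, i) \in \mathrm{Loc}'$. 

5. $\mathrm{Init}' = \{(\ell, \mathbf{0}) \mid \ell \in \mathrm{Init}\}$. 

Proposition 5 Let $\mathcal{H}$ be an RHA with non-negative rates, and s.t. for any edge $(\ell, g, r, \ell')$ 
of $\mathcal{H}$, for any variable $x$ of $\mathcal{H}$: $r(x)$ is either $[0, 0]$ or $\bot$. Let $\ell$ be a location of $\mathcal{H}$. 
Then, $\mathcal{H}$ admits a $T$-time-bounded run reaching $\ell$ iff $\mathrm{CBound}(\mathcal{H})$ admits a 
1-variable-bounded and $T$-time-bounded run reaching some location of the form $(\ell, i)$. 

A.3 Third construction: strictly elapsing time 

Last, we explain how we can build an RHA that enforces strictly elapsing time. Given 
an RHA $\mathcal{H} = (X, \mathrm{Loc}, \mathrm{Edges}, \mathrm{Rates}, \mathrm{Inv}, \mathrm{Init})$ s.t. for any $(\ell, g, r, \ell') \in \mathrm{Edges}$, for 
any $x \in X$: $r(x)$ is either $[0, 0]$ or $\bot$, we build the RHA 

$\mathrm{Strict}(\mathcal{H}) = (X, \mathrm{Loc}', \mathrm{Edges}', \mathrm{Rates}', \mathrm{Inv}', \mathrm{Init}')$ 

as follows. Let $\Pi$ be the (finite) set of all non-empty paths of $\mathcal{H}$ that contain at most 
one occurrence of each simple loop. Then: 
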
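1. $\mathrm{Loc}' = \mathrm{Loc} \times \Pi$ 

2. $((\ell, \pi), g, r, (\ell', \pi')) \in \mathrm{Edges}'$ iff: 

• $\pi = (\ell, g_1, r_1, \ell_1)(\ell_1, g_2, r_2, \ell_2) \cdots (\ell_{n-1}, g_n, r_n, \ell')$ 

• $g = \bigwedge_{i=1}^{n} g_i[X_i/0]$ where $X_i = \{x \mid \exists\, 0 < j < i : r_j(x) \ne \bot\}$ 

• $r$ is s.t. for any $x \in X$: $r(x) = 0$ if there is $1 \le j \le n$ s.t. $r_j(x) \ne \bot$, and 
$r(x) = \bot$ otherwise. 

3. $\mathrm{Rates}'$ is s.t. $\mathrm{Rates}'(\ell, \pi) = \mathrm{Rates}(\ell)$ for any $(\ell, \pi) \in \mathrm{Loc}'$. 

4. $\mathrm{Inv}'$ is s.t.: $\mathrm{Inv}'(\ell, \pi) = \mathrm{Inv}(\ell) \wedge \bigwedge_{i=1}^{n} \mathrm{Inv}(\ell_i)[X_i/0]$ where 
$X_i = \{x \mid \exists\, 0 < j < i : r_j(x) \ne \bot\}$ 

5. $\mathrm{Init}' = \{(\ell, \pi) \mid \ell \in \mathrm{Init}\}$. 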

Proposition 6 Let $\mathcal{H}$ be an RHA with non-negative rates and s.t. for any edge $(\ell, g, r, \ell')$ 
of $\mathcal{H}$, for any variable $x$ of $\mathcal{H}$: $r(x)$ is either $[0, 0]$ or $\bot$. Let $\ell$ be a location of $\mathcal{H}$. Then, 
$\mathcal{H}$ admits a 1-variable-bounded and $T$-time-bounded run reaching $\ell$ iff $\mathrm{Strict}(\mathcal{H})$ 
admits a strict, 1-variable-bounded and $T$-time-bounded run reaching some location of 
the form $(\ell, \pi)$. 

A.4 Proof of Proposition 1 

By applying successively the three constructions above to any RHA with non-negative 
rates $\mathcal{H}$, one obtains an RHA $\mathcal{H}' = \mathrm{Strict}(\mathrm{CBound}(\mathrm{DetReset}(\mathcal{H})))$ that has the 
following properties: 

1. $\mathcal{H}'$ contains only deterministic resets to zero. 

2. All the guards and invariants in $\mathcal{H}'$ are either true or conjunctions of atoms of 
the form $x = 1$ or $y < 1$ only. Moreover, each time a variable is tested to 1 by 
an edge, it is reset to zero. 

Moreover, when the original $\mathcal{H}$ contains no strict inequalities in the guards and 
invariants, the same holds for the guards and invariants of $\mathcal{H}'$, i.e., they will all be 
either true or of the form $x_1 = 1 \wedge x_2 = 1 \wedge \dots \wedge x_k = 1$ for $\{x_1, \dots, x_k\} \subseteq X$. 
Thus, $\mathcal{H}'$ has the right syntax, and respects H1 through H3. Given a location $\ell$ of 
$\mathcal{H}$, we let Goal be the set of all $\mathcal{H}'$ locations of the form $(((\ell, p), i), \pi)$. Thanks to 
Propositions 4, 5 and 6, we are ensured that $\mathcal{H}$ admits a $T$-time-bounded run reaching $\ell$ 
iff $\mathcal{H}'$ admits a strict 1-variable-bounded and $T$-time-bounded run reaching Goal. □ 



Remark that the third construction removes from the guards all the atoms of the form $x > 0$ that are 
introduced by the second one. 